As a result, a Penetration Testing Framework built specifically for BFSI applications is required. The following section describes some of the key vulnerability classes that should be part of a BFSI application pentest framework.

Key Vulnerability Classes Covered

BFSI applications contain a tremendous amount of sophisticated business logic that a security assessment has to cover. The following is a partial list of vulnerability classes tailored specifically to BFSI applications:

Authorization and RBAC Flaws: This class consists of a comprehensive RBAC security assessment from multiple perspectives, some of which are listed below:

○ URL based and Object based access controls.

○ Horizontal and vertical privilege escalations.

End User Security Management Flaws: This class tests for flaws in the multiple authentication mechanisms that BFSI applications deploy for different purposes, for example PINs, Smart Cards, Multi-Factor Authentication, etc.

Denial of Service (DoS) Flaws: Apart from conventional DoS attacks, this class covers various logical flaws that may lead to a Denial of Service for all or a few tenants of the application. Some examples are as follows:

○ Slow POST Requests

○ Slow Batch Processing Requests

○ Starving other tenants by misusing long running jobs, or consuming too many resources.

Conventional Vulnerabilities

○ SQL Injection, Cross Site Scripting (XSS), CSRF and other vulnerabilities defined as part of OWASP

Sample Vulnerabilities

Weakness: The Banking application does not verify whether the required amount was successfully paid at the Payment Gateway side, or what amount was actually paid there. As a result, a virtual card can be recharged with a higher amount while paying a lower amount to the bank, by modifying the amount when the request is sent from the payment gateway to the bank. So, Business Logic Testing is mandatory.

2. NO VALIDATION ON BANKING APPLICATION’S CALLBACK URL:

Weakness: There is a lack of validation on the Banking Application side when the Payment Gateway redirects a user to the Banking Application’s callback URL. As a result, a virtual credit card can be created without paying any service charges, by sending the request directly to the callback URL that the Payment Gateway would otherwise redirect to.
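Server-side checks that close weaknesses 1 and 2 above, as an added example that is not code from the original post. It assumes a gateway integration that signs its callback parameters with a shared HMAC secret; the secret, the order store and the parameter names are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict

# Constructed shared secret with the hypothetical payment gateway (not a real key).
GATEWAY_SECRET = b"example-shared-secret-not-a-real-key"


@dataclass
class RechargeOrder:
    order_id: str
    expected_amount: int  # minor units (e.g. paise / cents), fixed when the order was created
    currency: str
    settled: bool = False


# Constructed in-memory order store standing in for the bank's database.
ORDERS: Dict[str, RechargeOrder] = {}


def sign_callback(params: Dict[str, str]) -> str:
    """Gateway-side signature: HMAC-SHA256 over the sorted key=value parameters."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "sig")
    return hmac.new(GATEWAY_SECRET, msg.encode(), hashlib.sha256).hexdigest()


def handle_gateway_callback(params: Dict[str, str]) -> str:
    """Bank-side callback handler; returns a short status string.

    A request sent straight to the callback URL (weakness 2) fails the signature
    check, and a callback whose amount differs from the order (weakness 1) is
    refused instead of being credited.
    """
    sig = params.get("sig", "")
    if not (sig.isascii() and hmac.compare_digest(sig, sign_callback(params))):
        return "rejected: bad signature"
    order = ORDERS.get(params.get("order_id", ""))
    if order is None:
        return "rejected: unknown order"
    if order.settled:
        return "rejected: replay"  # this callback was already consumed once
    if params.get("status") != "SUCCESS":
        return "rejected: payment not successful"
    try:
        paid = int(params.get("amount", ""))
    except ValueError:
        return "rejected: malformed amount"
    if paid != order.expected_amount or params.get("currency") != order.currency:
        return "rejected: amount mismatch"
    order.settled = True  # only now is the virtual card credited
    return "credited"
```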

3. VIRTUAL CREDIT NUMBER IS PREDICTABLE:

Weakness: Generated Virtual Credit card numbers are predictable or follow certain patterns. As a result, an attacker can predict which virtual credit card numbers are being used by other legitimate users.

4. NO ANTI-AUTOMATION IN VIRTUAL CREDIT CARD DETAILS VERIFICATION:

Weakness: There is no anti-automation (e.g. CAPTCHA) while verifying the Virtual Credit Card details such as the CVV number and expiry date. The Credit Card number is sufficiently long; however, the CVV number is generally a 3 digit number and the expiry date is also a 2 digit number. As a result, it is possible to brute force the CVV number and expiry date, and shop online using a stolen virtual credit card number.
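The issuer-side mitigations for weaknesses 3 and 4 above, as an added example that is not code from the original post: card numbers drawn from a CSPRNG behind a fixed BIN (with a Luhn check digit so they still look like a PAN), and a verification path that locks the card after a small number of failed CVV/expiry attempts. The BIN, the failure limit and the expiry value are constructed assumptions.

```python
import secrets
from collections import defaultdict
from typing import Dict, Tuple

MAX_FAILURES = 3  # failed CVV/expiry checks allowed per card before lock-out (constructed policy)


def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for the digits that precede it."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right, starting with the last one
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def generate_virtual_card_number(bin_prefix: str = "411111", length: int = 16) -> str:
    """Fixed issuer BIN + CSPRNG account digits + Luhn digit: nothing sequential to predict."""
    body = "".join(str(secrets.randbelow(10)) for _ in range(length - len(bin_prefix) - 1))
    partial = bin_prefix + body
    return partial + luhn_check_digit(partial)


class CardVerifier:
    """Holds issued cards and counts failed verifications per card number."""

    def __init__(self) -> None:
        self.cards: Dict[str, Tuple[str, str]] = {}  # pan -> (cvv, expiry)
        self.failures: Dict[str, int] = defaultdict(int)

    def issue(self, expiry: str = "12/29") -> Tuple[str, str, str]:
        pan = generate_virtual_card_number()
        cvv = f"{secrets.randbelow(1000):03d}"  # CVV is random too, not derived from the PAN
        self.cards[pan] = (cvv, expiry)
        return pan, cvv, expiry

    def verify(self, pan: str, cvv: str, expiry: str) -> str:
        # Lock-out is checked first, so a later correct guess cannot unlock the card.
        if self.failures[pan] >= MAX_FAILURES:
            return "locked"
        stored = self.cards.get(pan)
        if stored and secrets.compare_digest(stored[0], cvv) and stored[1] == expiry:
            self.failures[pan] = 0
            return "ok"
        self.failures[pan] += 1
        return "denied"
```

With a 3 digit CVV and a 3-attempt limit, a guess succeeds with probability 3/1000 before the card is locked for review, instead of being guaranteed after at most 1000 requests.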
